<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>PF: Getting Started</title>
<link rev="made" href="mailto:www@openbsd.org">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="resource-type" content="document">
<meta name="description"   content="the OpenBSD FAQ page">
<meta name="keywords"      content="openbsd,faq,pf">
<meta name="distribution"  content="global">
</head>

<!--
Copyright (c) 2003, Nick Holland <nick@openbsd.org>
Copyright (c) 2003, 2004, Joel Knight <enabled@myrealbox.com>

Permission to use, copy, modify, and distribute this documentation for
any purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all copies.

THE DOCUMENTATION IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS DOCUMENTATION INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS DOCUMENTATION
-->

<body bgcolor="#ffffff" text="#000000">
<!-- Passes validator.w3.org, please keep it this way;
please, use a max of 72 chars per line -->

<a href="../../index.html">
<img alt="[OpenBSD]" height=30 width=141 src="../../images/smalltitle.gif" border="0">
</a>
<p>
[<a href="index.html">Contents</a>]
[<a href="macros.html">Next: Lists and Macros</a>]

<p>
<h1><font color="#e00000">PF: Getting Started</font></h1>

<hr>

<h3>Table of Contents</h3>
<ul>
<li><a href="#activate">Activation</a>
<li><a href="#config">Configuration</a>
<li><a href="#control">Control</a>
</ul>

<hr>

<a name="activate"></a>
<h2>Activation</h2>
To activate PF and have it read its configuration file at boot, add the line
<blockquote>
<tt>
pf=YES
</tt>
</blockquote>
to the file
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rc.conf.local&amp;sektion=8"
>/etc/rc.conf.local</a>.

<p>
Reboot your system to have it take effect.

<p>
You can also activate and deactivate PF by using the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&amp;sektion=8&amp;manpath=OpenBSD+4.3"
>pfctl(8)</a> program:

<blockquote>
<tt>
# pfctl -e<br>
# pfctl -d
</tt>
</blockquote>

<p>
to enable and disable, respectively.
Note that this just enables or disables PF, it doesn't actually load a
ruleset.  The ruleset must be loaded separately, either before or after
PF is enabled.


<a name="config"></a>
<h2>Configuration</h2>
<p>
PF reads its configuration rules from 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&amp;sektion=5&amp;manpath=OpenBSD+4.3"
><tt>/etc/pf.conf</tt></a> at boot
time, as loaded by the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rc&amp;sektion=8"
>rc scripts</a>.  Note that while 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&amp;sektion=5&amp;manpath=OpenBSD+4.3"
><tt>/etc/pf.conf</tt></a> is the default and is
loaded by the system rc scripts, it is just a text file loaded and interpreted
by 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&amp;sektion=8&amp;manpath=OpenBSD+4.3"
>pfctl(8)</a> and inserted into
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pf&amp;sektion=4&amp;manpath=OpenBSD+4.3"
>pf(4)</a>.  For some applications, other rulesets may be loaded from other
files after boot.  As with any well designed Unix application, PF offers great
flexibility.

<p>
The <tt>pf.conf</tt> file has seven parts:
<ul>
<li><b><a href="macros.html">Macros:</a></b> User-defined variables that
can hold IP addresses, interface names, etc.
<li><b><a href="tables.html">Tables:</a></b> A structure used to hold
lists of IP addresses.
<li><b><a href="options.html">Options:</a></b> Various options to
control how PF works.
<li><b><a href="scrub.html">Scrub:</a></b> Reprocessing packets to
normalize and defragment them.
<li><b><a href="queueing.html">Queueing:</a></b> Provides bandwidth
control and packet prioritization.
<li><b><a href="nat.html">Translation:</a></b> Controls Network Address
Translation and
<a href="rdr.html">packet redirection</a>.
<li><b><a href="filter.html">Filter Rules:</a></b> Allows the selective
filtering or blocking of packets as they pass through any of the
interfaces.
</ul>

<p>
With the exception of macros and tables, each section
should appear in this order in the configuration file, though not all
sections have to exist for any particular application.

<p>
Blank lines are ignored, and lines beginning with <tt>#</tt> are treated
as comments.

<a name="control"></a>
<h2>Control</h2>
After boot, PF operation can be managed using the 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&amp;sektion=8&amp;manpath=OpenBSD+4.3"
>pfctl(8)</a> program.  Some example commands are:

<pre>
     # pfctl -f /etc/pf.conf     <i>Load the pf.conf file</i>
     # pfctl -nf /etc/pf.conf    <i>Parse the file, but don't load it</i>
     # pfctl -Nf /etc/pf.conf    <i>Load only the NAT rules from the file</i>
     # pfctl -Rf /etc/pf.conf    <i>Load only the filter rules from the file</i>

     # pfctl -sn                 <i>Show the current NAT rules</i> 
     # pfctl -sr                 <i>Show the current filter rules</i>
     # pfctl -ss                 <i>Show the current state table</i>
     # pfctl -si                 <i>Show filter stats and counters</i>
     # pfctl -sa                 <i>Show EVERYTHING it can show</i>
</pre>

<p>
For a complete list of commands, please see the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&amp;sektion=8&amp;manpath=OpenBSD+4.3"
>pfctl(8) man page</a>.

<p>
[<a href="index.html">Contents</a>]
[<a href="macros.html">Next: Lists and Macros</a>]

<p>
<hr>
<a href="index.html"><img height="24" width="24" src="../../images/back.gif" border="0" alt="[back]"></a> 
<a href="mailto:www@openbsd.org">www@openbsd.org</a>
<br>
<small>$OpenBSD: config.html,v 1.24 2008/07/27 17:13:47 nick Exp $</small>

</body>
</html> 
